setting up Directory-based authentication
by Sérgio Pereira
Hi there,
Im having a hard time setting up the directory-based authentication for
dogtag 10.3.3-1. I did follow the instructions as
http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles and I get
an error when trying to bind/authenticate against directory service
(Microsoft AD2008) as follows:
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: DirBasedAuthentication:
authenticate: before authenticate() call
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating UID=john.luk
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: UidPwdDirAuthentication:
Authenticating: Searching for uid=john.luk base DN=OU=IT,dc=domain,dc=com
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: User
authentication failure: netscape.ldap.LDAPException: error result (1);
000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this
operation a successful bind must be completed on the connection., data 0,
v1772
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: closing bad
connection
The directives (bellow) are used to bind the AD2008 and I already tested the
account and it is working.
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Service
Account,ou=IT,dc=domain,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=password
John Luk is applying for the certificate using the web enrollment process
(caDirUserCert profile).
What am I missing?
Thx,
sergio
8 years, 2 months
CertClient.enrollRequest not returning a certId
by David Kinghorn
Hey guys, using pki 10.2.5.6 with the java client, I am able to enroll a
cert request, but I do not get a cert id or any other meaningful
information back. The result.getEntries() collection is empty. Does anyone
know what I need to do to have it return the cert id? This is based on the
example here:
https://git.fedorahosted.org/cgit/pki.git/tree/base/java-tools/src/com/ne...
The
code is below: CertEnrollmentRequest enrollmentRequest =
client.getEnrollmentTemplate(config.getRemoteAssetCertProfileId()); for
(ProfileInput input : enrollmentRequest.getInputs()) { ProfileAttribute
typeAttribute = input.getAttribute("cert_request_type"); if (typeAttribute
!= null) { typeAttribute.setValue("pkcs10"); } ProfileAttribute
requestAttribute = input.getAttribute("cert_request"); if (requestAttribute
!= null) { requestAttribute.setValue(certData); } } CertRequestInfos result
= client.enrollRequest(enrollmentRequest);
System.out.println("Entry count: " + result.getEntries().size());
I get an entry count of 0.
Thanks,
~ David
8 years, 2 months
Jar files versions for java pki client
by David Kinghorn
Hi,
I'm trying to use the java client in the link below (using nss
authentication), but I'm running into issues finding the right versions of
the various jar files listed.
http://pki.fedoraproject.org/wiki/Java_Key_Client_API#Setting_up_Buildpat...
I am getting inundated NoClassDefFoundError, IncompatibleClassChangeError
and the like presumably due to the wrong version of certain jar files. Is
there a guide on which version of the various files are required? In
particular, I'm having an issue with conflicts between the following two
dependencies, but there are probably more.
<dependency>
<groupId>javax.ws.rs</groupId>
<artifactId>javax.ws.rs-api</artifactId>
<version>2.0-m12</version>
</dependency>
<dependency>
<groupId>org.jboss.resteasy</groupId>
<artifactId>resteasy-client</artifactId>
<version>3.0.18.Final</version>
</dependency>
This is on Red Hat Enterprise Linux Server release 7.2 (Maipo) with
jss-4.2.6-37.el7.x86_64 and pki 10.2.5.6 I am using java 7 on tomcat 7
using maven to build the war file Thanks, ~ David
8 years, 2 months
Unknown Certificate Request Type error on enrolling PKCS10 csr in java
by David Kinghorn
Hey guys,
I'm trying to upload a csr to the ca in java and am getting a "Unknown
Certificate Request Type" error. There seems to be no documentation on
this. Any help what I'm doing wrong would be great. My code is as follows:
MultivaluedMap<String, String> enrollmentRequestMap = new
MultivaluedMapImpl();
enrollmentRequestMap.add("cert_request_type", "pkcs10");
enrollmentRequestMap.add("cert_request", certData);
CertEnrollmentRequest enrollmentRequest = new CertEnrollmentRequest(
enrollmentRequestMap);
enrollmentRequest.setProfileId(config.getRemoteAssetCertProfileId());
CertRequestInfos result = client.enrollRequest(enrollmentRequest);
Thanks,
~ David
8 years, 2 months
Unable to spawn CA when using HSM
by Lionel Beard
Hi,
I'm trying to create a CA with a Atos/Bull HSM backend.
I have created a configuration file default_hsm.cfg with hsm options
enabled and configured, and I have set HSM token and password.
When I run the command:
# pkispawn -s CA -f /etc/pki/default_hsm.cfg -vvv
I get the error:
pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse>
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO ....... executing 'certutil -R -d
/root/.dogtag/pki-tomcat/ca/alias -s cn=PKI Administrator,e=caadmin(a)cls.fr
,o=cls.fr Security Domain -k rsa -g 2048 -z
/root/.dogtag/pki-tomcat/ca/alias/noise -f
/root/.dogtag/pki-tomcat/ca/password.conf -o
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'
pkispawn : INFO ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise
pkispawn : INFO ....... BtoA
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet:
400 Client Error: Bad Request for url:
https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure
pkispawn : ERROR ....... ParseError: not well-formed (invalid token):
line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"*Invalid
Token provided. No such token*."}
pkispawn : DEBUG ....... Error Type: ParseError
pkispawn : DEBUG ....... Error Message: not well-formed (invalid
token): line 1, column 0
pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in
main
rv = instance.spawn(deployer)
File
"/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 116, in spawn
json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
File
"/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line
3872, in configure_pki_data
root = ET.fromstring(e.response.text)
File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
parser.feed(text)
File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
self._raiseerror(v)
File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in
_raiseerror
raise err
Installation failed.
Just after pki service restart.
I don't know which "Token" is it talking about, not sure it is HSM token.
HSM is working fine because it is previously added to database with modutil:
# modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb
Bull TrustWay Proteccio NetHSM 2.4
Configuration read from /etc/proteccio//proteccio.rc
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. nethsm
library name: /usr/lib64/libnethsm.so
slots: 8 slots attached
status: loaded
slot: Trustway Crypto Engine Slot
token: nethsm1_V1
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
-----------------------------------------------------------
Of course, I have updated default_hsm.cfg file according to Redhat
documentation to enable HSM et put HSM token name and password:
# grep hsm /etc/pki/default_hsm.cfg
pki_audit_signing_token=nethsm1_V1
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/libnethsm.so
pki_hsm_modulename=nethsm
pki_ssl_server_token=nethsm1_V1
pki_subsystem_token=nethsm1_V1
pki_token_name=nethsm1_V1
pki_storage_token=nethsm1_V1
pki_transport_token=nethsm1_V1
I have tried with interactive installation (so with no HSM), and it is
working fine.
Does anyone can help me?
Thanks!
8 years, 2 months
Renew expired OCSP system certificates
by pki tech
Hi all,
Good day to you all.
What is the process to renew all the four system certificates
(SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when
those existing certificates are currently expired. I cant access the
pkiconsole also as the system is not up and running.
I have used the certutil to generate the certificate requests and get it
signed by the CA. But it didn't work as expected. I believe the procedure
that i have followed to request generation or the signing profiles used for
the generation, may have some issues.
Cheers.
Regards,
Mark
8 years, 2 months
base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 2 months
Dog-Tag Automatic Enrolment
by Chathuranga Gunatillake
This question is regarding automation of the certificate enrolment process.
The requirement in simple terms would be,
1. CA receives user certificate request (CSR)
2. CA generates certificate
3. Certificate gets delivered to respective user
Basically the functions of an RA but remotely. I have looked into SCEP
based process. I would like to know, (?)
- Any methods of by evading the current shortcomings of SCEP
- Any newer technologies / methods that are available
- Any suggestions as to how this process could be achieved with a
different architecture
- Any functions that support this within the current profiles
Regards,
Chathuranga
8 years, 2 months
Intermediate CA
by Carlos Barrabes
Hello,
Im trying to create an intermediate CA so I can issue certificates with
a trust path pointing to our RootCA but I'm facing some issues while
following the documentation in the project's site.
Once I'm done with step two, you import the external and ca-signing
certificates into a users NSS db and then the wiki says you have to
import the CA admin certificate and key but the problem is there is no
such thing after starting the instance via custom config file or I
simply cannot find them.
Any suggestions?
Thanks for your time!
I am running Dogtag 10.2.6-12 on a Fedora 22 server machine and the
prodecure Im following is this one:
http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_...
8 years, 3 months
log4j error when creating new user.
by Chareon
I'm getting the below error message when attempting to add a new user.
Where should I be looking to troubleshoot this issue?
root@newca:~# pki -c Secret123 -n caadmin ca-user-add newuser --fullName
"New User"
log4j:WARN No appenders could be found for logger
(org.jboss.resteasy.plugins.providers.DocumentProvider).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for
more info.
ProcessingException: Unable to invoke request
Here is the content of the log4j.properties file in case it helps.
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2012 Red Hat, Inc.
# All rights reserved.
# Modifications: configuration parameters
# --- END COPYRIGHT BLOCK ---
log4j.rootLogger=debug, R
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=${catalina.base}/logs/catalina.out
log4j.appender.R.MaxFileSize=10MB
log4j.appender.R.MaxBackupIndex=10
log4j.appender.R.layout=org.apache.log4j.PatternLayout
log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n
log4j.logger.org.apache.catalina=DEBUG, R
log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=DEBUG,
R
log4j.logger.org.apache.catalina.core=DEBUG, R
log4j.logger.org.apache.catalina.session=DEBUG, R
#resteasy
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.Target=System.out
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p (%c:%L) -
%m%n
log4j.rootLogger=warn, stdout
log4j.rootCategory=debug, stdout
log4j.category.org.jboss.resteasy.core=debug
log4j.category.org.jboss.resteasy.plugins.providers=debug
log4j.category.org.jboss.resteasy.specimpl=debug
log4j.category.org.jboss.resteasy.plugins.server=debug
log4j.logger.org.jboss.resteasy.mock=debug
8 years, 3 months